如何在JSTL函数/ EL中转义双引号? [英] How to escape double quotes in JSTL function / EL?
问题描述
我需要通过 \ 。 oracle.com/javaee/5/jstl/1.1/docs/tlddocs/fn/replace.fn.html rel = noreferrer> JSTL替换函数在输入标记中使用字符串,例如:
I need to change " to \" with JSTL replace function to use the string in input tag like:
<input type="hidden" name="text" size="40" value="${text}">
如果 $ {text} 具有 ,HTML将被破坏。
If the ${text} has the ", the HTML will be broken.
所以我尝试了
<input type="hidden" name="text" size="40" value="${fn:replace(text, "\"", "\\\""}">
和
<input type="hidden" name="text" size="40" value="${fn:replace(text, '"', '\"'}">
但没有用。该页面会出现类似
but didn't worked. The page makes errors like
org.apache.el.parser.ParseException:在
第1行第32列遇到}}期望以下之一:
。 ...
) ...
[ ...
, ...
> ...
gt ...
< ...
lt ...
> = ...
ge ...
< = ...
le ...
== ...
eq ...
!= ...
ne ...
&& ...
和 ...
|| ...
或 ...
* ...
+ ...
- ...
/ ...
div ...
% ...
mod ...
org.apache.el.parser.ParseException: Encountered " "}" "} "" at line 1, column 32. Was expecting one of: "." ... ")" ... "[" ... "," ... ">" ... "gt" ... "<" ... "lt" ... ">=" ... "ge" ... "<=" ... "le" ... "==" ... "eq" ... "!=" ... "ne" ... "&&" ... "and" ... "||" ... "or" ... "*" ... "+" ... "-" ... "/" ... "div" ... "%" ... "mod" ...
我该怎么做?
更新
我错过了替换功能的详细介绍。右边的那个是括号很近的那个:
I missed a close paren of replace function. The right one was this one with a close paren:
<input type="hidden" name="text" size="40" value="${fn:replace(text, '"', '\"')}">
Update2
我发现在发布文本时,使用 \ 不是一个好主意,因为这个原因。代码应如下所示:
I found out that when posting texts, using \ is not a good idea because of this reason why can't use \" in HTML input tag?. The code should be like this:
<input type="hidden" name="text" size="40" value="${fn:replace(text, '"', '"')}">
推荐答案
它不起作用,因为 \ 是Java字符串中的转义字符。需要再次用另一个 \ 进行转义。 是EL中的特殊字符,您还需要对其进行转义以从字面上表示它。因此,正确的语法应该是:
It doesn't work because the \ is an escape character in Java string. To represent it literally, you need to escape it with another \ again. Also the " is a special character in EL, you also need to escape it to represent it literally. So, the proper syntax would have been:
<input type="hidden" name="text" size="40" value="${fn:replace(text, '\"', '\\\"'}">
但是,实际上您应该使用
<input type="hidden" name="text" size="40" value="${fn:escapeXml(text)}">
另请参见:
- JSP / Servlet Web应用程序中的XSS防护
- XSS prevention in JSP/Servlet web application
See also:
这篇关于如何在JSTL函数/ EL中转义双引号?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
